Unexpected behavior of Set-SecureBootUEFI with the -ContentFilePath parameter

Occasional Visitor

I'm using the following 3 commands to add a new key to my Secure Boot db:

```powershell
$CurrentTime=Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ";Format-SecureBootUEFI -Name db -SignatureOwner 12345678-1234-1234-1234-123456789abc -FormatWithCert -Certificate .\dbKey.cer -ContentFilePath .\FormattedContent.bin -SignableFilePath GeneratedFileToSign.bin -Time $CurrentTime -AppendWrite
.\signtool.exe sign /fd sha256 /p7 .\ /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /a /f PrivateKey.pfx /p thePassword GeneratedFileToSign.bin
Set-SecureBootUEFI -ContentFilePath .\FormattedContent.bin -SignedFilePath GeneratedFileToSign.bin.p7
```


The first two commands succeed, but Set-SecureBootUEFI unexpectedly produces the following prompt:

```
Supply values for the following parameters:
Name: 
```


Shouldn't it be able to obtain the name from FormattedContent.bin? This behavior isn't described anywhere in the documentation and is contrary to the behavior shown in example 2 where the command succeeds without any further prompt.
I entered "db", and then it prompted:

```
Time: 
```


Again this should have been obtained from `FormattedContent.bin`, and the behavior isn't documented anywhere.

When I repeated everything in the same session with a slight modification, Set-SecureBootUEFI succeeded immediately:

```powershell
$CurrentTime=Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ";$ObjectFromFormat=Format-SecureBootUEFI -Name db -SignatureOwner 12345678-1234-1234-1234-123456789abc -FormatWithCert -Certificate .\dbKey.cer -SignableFilePath GeneratedFileToSign.bin -Time $CurrentTime -AppendWrite
.\signtool.exe sign /fd sha256 /p7 .\ /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /a /f PrivateKey.pfx /p thePassword GeneratedFileToSign.bin
$ObjectFromFormat | Set-SecureBootUEFI -SignedFilePath GeneratedFileToSign.bin.p7
```


The only difference between the two sets of commands is that the first outputs the formatted data to a file, which is then supplied as a parameter to Set-SecureBootUEFI, while the second outputs the formatted data to a PowerShell object, which is then piped to Set-SecureBootUEFI. Functionally both are identical, and it is puzzling why they have different behavior.
